redbullmarky (Staff Alumni, 2,863 posts)
Everything posted by redbullmarky
-
[quote=sford999 @ Mar 31 2006, 07:30 PM]You could also try adding image verification to the script where the user has to put in a string of letters and numbers before being able to send the form. http://www.devpapers.com/article/149 is an easy to follow article[/quote]

that is a good idea, and very good for stopping bots, but it wouldn't stop me just bombarding the guestbook with several hundred/thousand (or as many as i could be bothered) spams. try some/all of these:

1. strip tags as i mentioned above.
2. create a function that checks for certain words (drug, penis, etc etc. you know the ones)
3. why publish them straight away? have some form of moderation first so that a post does not appear on your page immediately.
4. flood control. stop users/bots posting anything within a certain amount of time. in fact, as it's a guestbook and not a forum, why would someone want to post more than once anyway? maybe even restrict it to one a day.
5. you say it was attacked earlier today. going by the time you posted this topic (2.39PM according to what i see) and the time it is now (19:42PM here), they're still there. all of them. even if you don't follow any of steps 1-4 above, isn't there something you can do MANUALLY at least, rather than leave it there to look bad and encourage others to test spamming out?

hope that helps
cheers
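Points 1-4 above put together as an added PHP example (not code from the original thread): the blocked-word list, the one-post-per-day window and the sample submissions are constructed, and a real guestbook would keep the per-IP timestamps and the moderation flag in its database rather than in an array.

```php
<?php
// Added example, not from the original thread: the guestbook checks above
// (strip tags, word filter, moderation, flood control) in one vetting step.
// $lastPostByIp stands in for a table of last-post times; a real script
// would persist it between requests.

const MIN_POST_INTERVAL = 86400; // one post per visitor per day, as suggested above

function vet_guestbook_post(string $ip, string $message, array &$lastPostByIp,
                            array $blockedWords, int $now): array
{
    // 1. strip tags: nothing but text is kept, so no <a> links, images or scripts
    $clean = trim(strip_tags($message));
    if ($clean === '') {
        return ['ok' => false, 'reason' => 'empty after stripping tags'];
    }

    // 2. word filter: case-insensitive, whole words only, so "drug" matches
    //    but a harmless word that merely contains it does not
    foreach ($blockedWords as $word) {
        if (preg_match('/\b' . preg_quote($word, '/') . '\b/i', $clean)) {
            return ['ok' => false, 'reason' => 'blocked word: ' . $word];
        }
    }

    // 4. flood control: refuse a second post from the same IP inside the window
    if (isset($lastPostByIp[$ip]) && $now - $lastPostByIp[$ip] < MIN_POST_INTERVAL) {
        return ['ok' => false, 'reason' => 'too soon since last post from this IP'];
    }
    $lastPostByIp[$ip] = $now;

    // 3. moderation: store it unapproved; it only appears once an admin sets
    //    approved to true, so a flood never reaches the public page at all
    return ['ok' => true, 'content' => $clean, 'approved' => false];
}

// Constructed sample submissions (IPs and text made up for the demo)
$lastPostByIp = [];
$blocked = ['drug', 'casino'];
$now = time();
$samples = [
    ['10.0.0.1', 'Nice site! <a href="http://example.invalid">click here</a>'],
    ['10.0.0.1', 'Second message from the same visitor a moment later'],
    ['10.0.0.2', 'Cheap DRUG deals, visit my site'],
];
foreach ($samples as [$ip, $msg]) {
    $r = vet_guestbook_post($ip, $msg, $lastPostByIp, $blocked, $now);
    echo $ip, ': ', $r['ok'] ? 'held for moderation: "' . $r['content'] . '"'
                             : 'rejected (' . $r['reason'] . ')', "\n";
}
```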
-
[quote=flash gordon @ Mar 31 2006, 09:04 AM]2 days later and that code isn't there any more :([/quote]

haha yeah i guess whilst they were too blind to notice it in the first place, they weren't too blind to keep tabs on their site logs... how much confidence do you get in all these security updates and the forthcoming Windoze Vista if you see stuff like this? lol the part i posted tho is literally exactly what was in the stylesheet until today...
-
Hi
the 'date' function is quite useful, but depends on how/where, etc you want to use it. but from the manual: http://uk2.php.net/date

[code]
// whether in daylight savings time or not
echo date("I");
// difference to GMT in hours (eg, +0200)
echo date("O");
// as above, but with colon (eg +02:00)
echo date("P");
[/code]

hope that helps a little more
Cheers
Mark
-
[quote=bqallover @ Mar 31 2006, 05:14 PM]2) I don't have access to anything outside the web-tree with my provider, just my web space. So no cigar for me :)[/quote]

very rare that you can't access at least one level outside of your root. most hosts provide you with access to at LEAST the level directly under your public_html/whatever folder.

[quote=bqallover @ Mar 31 2006, 05:14 PM]4) I think you can spoof $_FILES['whatever']['type'], as it's just the MIME type sent by the browser. Though I haven't tried this.[/quote]

not sure about this one, if i'm honest. but as with most things, it's one less thing to be concerned about and one less thing for someone to take advantage of, i guess.
Cheers
Mark
-
[quote=bqallover @ Mar 31 2006, 03:26 PM]Right let me rephrase this question. If a directory on my site is 777, how would someone go about uploading to it? Would they have to compromise one of my scripts (code injection, Cross-site scripting, etc.) or could they simply anonymously FTP to it and upload? This is really holding me back and I'm sure it's elementary knowledge. Cheers.[/quote]

i believe that the only way to upload a file to your server is via sloppy coding of your upload script. if it's secure, then no extra files will be uploaded. here's a few points just in case you're paranoid or not:

1. rename the admin directory to something a little less obvious. whilst it doesn't really matter, it shows that you're predictable, just like people who use their dog's/kid's/wife's/boyfriend's name as a password.
2. there are ways (not too complex either), especially with images, to keep the files outside of the web tree altogether. it means that without a script (which you can bullet-proof as much as you like) there's no way to access certain content.
3. before you do anything with a file uploaded via your form, make sure that you THOROUGHLY scrutinize EVERY element of $_FILES. including 'size', 'type', everything. leave no room for anything you can consider slightly unwanted. if i wanted to p*ss someone off, and i knew the script would let me, i'd be happy enough to upload a several GB file. bye bye goes all your bandwidth and loads (if not all) of your disk space allowance for the month. yet it's still surprising how many people don't check for the size of a file before accepting it with open arms.
4. elaborating on point 3 above, DO NOT rely on the extension of the file to tell you what the file contains. there's nothing wrong with you checking, but check $_FILES['whatever']['type'] to make sure that the filetype is the sort of file you're happy to accept.

i'm sure there's points that would stretch my list into hundreds of things, but these are the ones i always start with. hope it helps
cheers
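Points 2-4 above as an added PHP example (not code from the original thread). UPLOAD_DIR is an assumed directory outside the web tree, the type whitelist and the sample $_FILES entries are constructed, and the content check uses PHP's finfo on the uploaded bytes rather than $_FILES['type'], since that value is sent by the browser; store_upload is only exercised in a real request, because is_uploaded_file refuses files PHP did not receive itself.

```php
<?php
// Added example, not from the original thread: the upload checks from points
// 2-4 above as a validation step plus a storage step. UPLOAD_DIR is an assumed
// path outside the web tree; the type whitelist and sample entries are constructed.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;          // 2 MB: the script's own limit (point 3)
const UPLOAD_DIR = '/home/example/uploads_private'; // assumed; not under public_html (point 2)
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Returns the extension we will assign, or throws with the reason for refusal.
// Nothing the browser sent (original name, extension, declared 'type') decides it.
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, PHP error code ' . ($file['error'] ?? 'none'));
    }
    // Point 3: size first, independent of upload_max_filesize in php.ini
    if ($file['size'] <= 0 || $file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('empty or too large: ' . $file['size'] . ' bytes');
    }
    // Point 4: ignore the extension, and ignore $_FILES['type'] too, since the
    // browser supplies that value; sniff the actual bytes on disk instead
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$detected])) {
        throw new RuntimeException('content type not accepted: ' . $detected);
    }
    return ALLOWED_TYPES[$detected];
}

// Point 2: random name, our own extension, outside the web tree, and only for a
// file PHP received in this request (is_uploaded_file refuses any other path).
function store_upload(array $file, string $ext): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Constructed samples: a real PNG signature named "photo.jpg", plain text named
// "photo.png", and an oversized entry. Name and declared type are ignored anyway.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "this is not an image");
$samples = [
    ['name' => 'photo.jpg', 'type' => 'image/jpeg', 'size' => 72, 'tmp_name' => $png, 'error' => UPLOAD_ERR_OK],
    ['name' => 'photo.png', 'type' => 'image/png',  'size' => 20, 'tmp_name' => $txt, 'error' => UPLOAD_ERR_OK],
    ['name' => 'big.png',   'type' => 'image/png',  'size' => 50 * 1024 * 1024, 'tmp_name' => $png, 'error' => UPLOAD_ERR_OK],
];
foreach ($samples as $f) {
    try {
        echo $f['name'], ': accepted, would be stored as .', validate_upload($f), "\n";
    } catch (RuntimeException $e) {
        echo $f['name'], ': rejected (', $e->getMessage(), ")\n";
    }
}
unlink($png); unlink($txt);
```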
-
[quote=Grande @ Mar 31 2006, 02:52 PM]Yes, that's true but the insert happens by a predefined package of Linux, Snort. So I'm not sure it's best to change that package, so for now I'm looking for a different solution . . .[/quote]

if the package is just a standard package of php scripts, then why not change it? seriously, it's going to be the easiest way for you, and will take 1 line of code. a call to 'mail' inserted in the right place (ie, after the INSERT/UPDATE query is called). other ways (such as the cronjob idea) will require a lot more effort. and even with a cronjob or a normal script, how do you propose to find out if a table has changed without having something to compare it to? ok, so you could log the 'mysql_num_rows', but what happens if a row is edited, and not inserted? you'll get the same number of rows back = no notification, etc. just find the INSERT and UPDATE parts of the script and stick a 'mail' call after them. you could be done and dusted within about 10 minutes (9 mins to find the right part, 1 to add the modifications).
-
[quote=m2e @ Mar 31 2006, 02:39 PM]Hi there, I have a very simple guestbook on my website : http://www.ment2excel.com/guestbook/guestbook-view.php Today it seems it has been attacked by some random messages. This is not the first time this has happened, but it has never been to this extent. Is there anything that can be done to stop this? Is it a problem with my code, allowing this to happen? Thanks, Russell[/quote]

hi Russell
If your code's not too big, can you post it?
Cheers
Mark

you allow HTML tags, which is not necessarily wise. unless that's the way you want it, use strip_tags to get rid of <A> links, etc (ie, any HTML)

[code]
$content = strip_tags($content);
[/code]

you can specify to leave certain tags and strip the rest. check http://www.php.net/strip_tags for info.
Cheers
Mark
-
if you have a look at http://www.php.net/mysql_free_result and some of the user comments, you'll possibly find that wildteen88's suggestion to use mysql_free_result is spot on.
-
cronjob?? why?? i really apologise if i'm missing the point here, but surely you can just stick a call to 'mail' function directly after executing the INSERT query? Cheers Mark
-
a couple of scripts that i've paid for, one for example that allows DOC's to be viewed as plain text from your website, are encoded by Zend Encoder I think. Makes it look as jumbled garble. All it needs is Zend Optimizer to be installed on the server, but I'm finding most hosts either have it or will put it on for you. I've got a VPS so i had to install it myself but you can't run encoded PHP files without it. the way redarrow has done it, i've seen used too. only problem with it is it just takes a little bit of time. and considering the issue is to protect them, the people who are most likely to WANT to unprotect them are also the people that are easily ABLE to. And the problem with this way, compared to Zend, is that it's slow as it uses a script to decipher it whereas Zend uses a compiled program to do it. like he said tho, it's a good-ish way of hiding parts of the source. i believe that Zend Optimizer+Encoder (or programs that work identically) are the only real ways to go to protect PHP scripts properly.
-
[quote=Masna @ Mar 30 2006, 08:53 PM]Hmm...I see the port in the back of the computer to which that plug would be connected, but I still can't find that cord anywhere. I searched the box like 7 times, and it's nowhere to be found. Darnet. [b]Edit:[/b] I just checked the Apple website for what comes with the iMac, and that adapter isn't listed; it is for the PowerBook. That would explain this.[/quote]

yeah i had a look around too - "sold separately". they're about £10 here (i think $18 ? ) but absolutely essential :) . looks like since they released the powerbook they've decided to rake in a bit more cash on extras...i've read in a few places that the powerbook one is compatible, but best ask your Mac dealer...

[quote=Masna @ Mar 30 2006, 08:53 PM]By the way, how do you add a separate folder for a separate email account with Mail? I figured out how to link 2 accounts, but new messages for both accounts are shown in the same Inbox folder. Thanks in advance.[/quote]

just set up all of your accounts as normal (Mail/Preferences-->Accounts). all your accounts should be separate in the left hand panel. once you're done, the Inbox has all of your accounts in it as subdirectories. hope that helps :)
-
Different between ftp_connect() and fsockopen()
redbullmarky replied to crossline's topic in PHP Coding Help
have you checked the manual?
ftp - File Transfer Protocol - http://www.php.net/ftp_connect
fsockopen - Sockets - http://www.php.net/fsockopen
definitely the best place to start.
Cheers
Mark
-
in this bit:

[code]
echo generate_calendar(date('Y', $time), date('n', $time), $days);
[/code]

i'm not sure where you're setting up the values of the $days array
-
[quote=JustinK101 @ Mar 30 2006, 02:24 PM]Humm, I kind of thought that was the point of using Post. Once the form is submitted, all the values are updated into variables which can be referenced by the field name. So name goes from $_POST['name'] to just $name. Let me play around with my code and see if I can get addslashes to fix the problem though.[/quote]

they CAN be. but it's very bad practice and relies on register_globals to be turned on in your php config file. and as this is generally turned off nowadays by default, and will eventually disappear altogether, you're best to use the full syntax. on a safety note - if you don't explicitly specify where you're getting the data from (ie $_POST, $_GET, $_COOKIE, etc) then what happens if a variable is supposed to be set via posting of a form but someone sticks a URL parameter in your script? opens up all sorts of issues, not to mention potential clashes with other variables.
-
if all the posts in a topic are parsed with the same function, how come earlier posts work and new ones don't?
-
Hi all
I've been using this site for a while now and I'm generally wondering what the REAL difference between the PHP Help and the PHP Newbie Help forum is? Very often i see questions in PHP Help such as:

[quote]how do you add 3+4 in PHP? I only started this week so have no idea.[/quote]

is there any benefit anymore of having these two forums separate? Maybe I'm looking at it from the wrong angle or something...
Cheers
Mark
-
this might help too: http://uk2.php.net/chmod
-
if a value comes from $_POST, then ALWAYS refer to it as $_POST['company_name'], not $company_name. even with the submit button, which has a $_POST value of its own. same with the URL. if you're expecting something from the URL, ALWAYS use $_GET. not only does it keep things secure, but when it comes to debugging your code in the future, having $_POST and $_GET in their right places will make things easier to see where you expect variables to come from. either way, you can still access the $_POST array in the way i mentioned, regardless of how you refer to the values afterwards. cheers Mark
-
hi
for your first problem, you should be able to use 'addslashes' to escape your quotes, so: joe's will become joe\'s in your code but the slashes will disappear when you use echo $row['company_name']. try it:

[code]
// PHP escapes the quote server-side, before the browser ever sees the JS string
document.getElementById('layer2').innerHTML = '<?php echo addslashes($row['company_name']); ?>';
[/code]

as for your second bit - i'll use 'trim' as an example:
this if you want to alter the post vals directly

[code]
foreach ($_POST as $key => $current) {
    $_POST[$key] = trim($current);
}
[/code]

or this if you want to deal with the post vals but don't wanna do processing directly on the $_POST array:

[code]
$postvals = array();
foreach ($_POST as $key => $current) {
    $postvals[$key] = trim($current);
}
[/code]

you now have $postvals which is a processed equivalent of your $_POST array, leaving $_POST alone.
hope that helps.
-
1. with Javascript or a META refresh
2. depends how you want to parse them:

[code]
$sentence = "The quick brown fox";
echo substr($sentence, 10);
[/code]

or

[code]
$sentence = "The quick brown fox";
$words = explode(" ", $sentence);
echo $words[2] . ' ' . $words[3];
[/code]

or various other ways. generally depends what you want to do it for.
Cheers
Mark
-
there's a possibility that some types of data being read from one table can't be put directly into the other, possibly due to quotes, etc. change this line:

[code]
$insertquery = mysql_query($insertsearch) or die(mysql_error());
[/code]

and see if you get an error
-
[quote=redbullmarky @ Mar 28 2006, 12:07 PM]anyone?[/quote]

ok one more go ... anyone?
-
[quote=Masna @ Mar 30 2006, 05:08 AM]Where should I plug it into? I'm using the iMac. [b]Edit:[/b] I re-read, and saw you said the adapter came with the Mac. Where is it? Like I said, I have the iMac; are you sure the iMac comes with one?[/quote]

well i'm not sure if the adapter came with your iMac but it came with my PowerBook G4. but had a quick look at the new iMac specs (http://www.apple.com/imac/whatsinside.html) and it says it has a mini-DVI output. the adapter you're looking for looks like: [img]http://80.194.98.132/punchoutcommerce/images/products/cables/25032004104000.jpg[/img] (pic from http://www.scotsys.co.uk just so they don't get funny about it.) no major setup required. plug the small end into your mac, the monitor into the big end, turn off 'mirroring' in your display preferences and voila. drag anything you like and stick it on the other screen. word of warning too. once you get dual-screen and get used to it, you'll wonder what you ever did without it. very useful to have dreamweaver on one screen and drag all your testing browsers, etc onto the other.
-
[quote=Masna @ Mar 30 2006, 01:08 AM]Thanks for the response Semi. Is the MacMini anywhere near as powerful as, let's say, the iMac or even the Power Mac? When I first went to check out some Apple computers, a few LCD HD screens were hooked up to a MacMini but I didn't really do any hardcore testing, just some web browsing and things of that sort. I just added a gig of RAM to my Intel-based iMac, with a grand total of 1.5 gigs, and it's godly. I literally had every single program on the computer running at once, with no lag whatsoever. Can the mini compare? Thanks in advance.[/quote]

Hi Masna
Sorry to answer a question aimed at someone else but i'm sure SA will have an opinion too on this. But just like going for a Mac over a PC in the first place, the difference between them all (from what i've seen & tried) all depends on what you want to use it for. the Mac mini is like the ipod mini or nano - it's all about cramming as much stuff into as small a space as possible, which to be fair was why people loved the ipod so much - they looked good and were small. a powermac G4/G5 is always gonna rip the pants off most, but from giving MacMini a blast - not a problem coping with anything whatsoever, even the most intensive programs such as Logic Pro. I'd probably say the mac mini and iMac are on a somewhat even playing field, with the PowerMac/Book being the captain. one more thing - and i don't see this built in as standard to PC's without some sort of performance screwup - and you may know of this already - go and grab your PC monitor. Dig out that little PC monitor adaptor thingy that came with your Mac. plug it in to your Mac and your monitor. Voila - Dual-screen without ANY effort at all. Works like a dream when coding/doing music/images. Anyway, I digress.
-
[quote=craygo @ Mar 29 2006, 09:21 PM]Yes I have had to do a lot of this with my old server which was linux. From what I gather, if you would like to make it easier. Give the apache account access to FTP and connect that way. This will make the ownership of the files that of apache. Then you should just be able to chmod the folders 755 and you should be all set. If the FTP account you are using does not have the ability to change permissions then you will never be able to do any kind of chxxx command. A lot of php examples show commands to files and folders that are in the web root. This means that the apache user usually has access to these files and folders. Once you venture outside the root nothing you do from the web browser will work without giving rights to the apache account. Ray[/quote]

Cheers Ray
without wanting to sound stupid, can you dumb some of that down if you can? FTP and permissions, apart from what Dreamweaver does in the background, is fairly new to me. Pretend i'm Bill Gates being taught how to use shampoo.
Mark